Posted to common-commits@hadoop.apache.org by aa...@apache.org on 2021/07/10 05:42:12 UTC
[hadoop] branch branch-3.2 updated: HADOOP-17793. Better token
validation (#3189)
This is an automated email from the ASF dual-hosted git repository.
aajisaka pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/branch-3.2 by this push:
new 6c7f192 HADOOP-17793. Better token validation (#3189)
6c7f192 is described below
commit 6c7f192f0fedc9abe83b2758fab3863cdc5e4717
Author: Artem Smotrakov <ar...@gmail.com>
AuthorDate: Sat Jul 10 06:42:31 2021 +0200
HADOOP-17793. Better token validation (#3189)
Signed-off-by: Akira Ajisaka <aa...@apache.org>
(cherry picked from commit ba325a8ada573291266c4d6447862072fdf88af5)
Conflicts:
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
---
.../src/main/java/org/apache/hadoop/security/token/Token.java | 6 +++---
.../hadoop/hdfs/security/token/block/BlockTokenSecretManager.java | 3 ++-
.../server/nodemanager/containermanager/ContainerManagerImpl.java | 4 ++--
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
index 6df62fa..cd12599 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@@ -34,7 +34,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.*;
-import java.util.Arrays;
+import java.security.MessageDigest;
import java.util.Iterator;
import java.util.Map;
import java.util.ServiceConfigurationError;
@@ -419,8 +419,8 @@ public class Token<T extends TokenIdentifier> implements Writable {
return false;
} else {
Token<T> r = (Token<T>) right;
- return Arrays.equals(identifier, r.identifier) &&
- Arrays.equals(password, r.password) &&
+ return MessageDigest.isEqual(identifier, r.identifier) &&
+ MessageDigest.isEqual(password, r.password) &&
kind.equals(r.kind) &&
service.equals(r.service);
}
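Review bot: The switch to `MessageDigest.isEqual` in this `equals` return statement carries no comment saying why, so a later cleanup could put `Arrays.equals` back without noticing that it reintroduces a data-dependent early exit on `password`. I would add above the return: `// Constant-time compare: the token password is a secret; do not replace with Arrays.equals.` The same comment is missing at the password checks changed in BlockTokenSecretManager and ContainerManagerImpl in this commit. The `&&` chain still short-circuits, so an identifier mismatch returns before the password is examined; that is acceptable only if the identifier is not treated as secret, which the comment could state. The method's opening lines are outside the hunk.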
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index 9f21baa..47c007f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@@ -22,6 +22,7 @@ import com.google.common.base.Charsets;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
+import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.EnumSet;
@@ -407,7 +408,7 @@ public class BlockTokenSecretManager extends
+ ", block=" + block + ", access mode=" + mode);
}
checkAccess(id, userId, block, mode, storageTypes, storageIds);
- if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
+ if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
throw new InvalidToken("Block token with " + id
+ " doesn't have the correct token password");
}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index 17af7ec..05aa339 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -171,8 +171,8 @@ import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
+import java.security.MessageDigest;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
@@ -1233,7 +1233,7 @@ public class ContainerManagerImpl extends CompositeService implements
containerTokenIdentifier);
byte[] tokenPass = token.getPassword().array();
if (password == null || tokenPass == null
- || !Arrays.equals(password, tokenPass)) {
+ || !MessageDigest.isEqual(password, tokenPass)) {
throw new InvalidToken(
"Invalid container token used for starting container on : "
+ context.getNodeId().toString());
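Review bot: The `tokenPass == null` guard in this condition appears to be unreachable, because `tokenPass` comes from `token.getPassword().array()` on the line above: a null return from `getPassword()` throws a NullPointerException first, and `array()` on what looks like a `ByteBuffer` throws rather than returning null. A malformed token would then surface as an unchecked exception instead of `InvalidToken`. Checking the buffer before unwrapping it, e.g. `ByteBuffer tokenBuf = token.getPassword();` followed by `byte[] tokenPass = (tokenBuf != null && tokenBuf.hasArray()) ? tokenBuf.array() : null;`, would keep the rejection path uniform. `array()` also returns the whole backing array regardless of position, limit and array offset, so the comparison is only correct if the buffer wraps exactly the password bytes, which is worth confirming. The enclosing method starts and ends outside the hunk.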